1 / 48

E-Commerce And You

E-Commerce And You. Roger Blake Senior Information Systems Officer National Credit Union Administration. Lake Buena Vista, Fl. November 3, 2004. Notable Quotes. “…The Internet is the single greatest threat to the economy and national security of the United States today…”. Richard Clark

burt
Download Presentation

E-Commerce And You

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. E-Commerce And You Roger Blake Senior Information Systems Officer National Credit Union Administration Lake Buena Vista, Fl November 3, 2004

  2. Notable Quotes “…The Internet is the single greatest threat to the economy and national security of the United States today…” Richard Clark President’s Chief Advisor of Critical Infrastructure National Security Council

  3. Notable Quotes “…Anyone in the privacy of their own home can create a very persuasive vehicle for fraud over the Internet…” Louis J. Freeh Director of the FBI

  4. Notable Quotes “…The use of digital media also can lend fraudulent material an air of credibility. Someone with a home computer and knowledge of computer graphics can create an attractive, professional-looking Web site, rivaling that of a Fortune 500 company…” Arthur Levitt Chairman of the SEC

  5. NCUA Strategic Plan2003-2008 Goal #2: Facilitate the ability of credit unions to safely integrate financial services and emerging technology in order to meet the changing expectations of their members.

  6. e-Commerce Services Does NCUA expect all credit unions to develop and implement e-Commerce services? No! NCUA encourages credit unions to consider offering e-Commerce services.

  7. Credit Union Statistics Website Trends June ‘98 – June ‘04 5300 Call Report Data

  8. Credit Union Industry Statistics Credit Union Websites

  9. Credit Union Industry Statistics

  10. Credit Union Industry Statistics Website Growth

  11. Credit Union Industry Statistics

  12. Computer Security Institute(CSI) Computer Security Issues & Trends 2004 CSI/FBI Computer Crime and Security Survey www.gocsi.com

  13. Key Findings • Unauthorized use and financial losses declined • Virus and denial of service top cost • Law enforcement reporting declined • Security audits used • Security outsourcing low • Sarbanes-Oxley impact • Security training needed

  14. Respondents

  15. Percentage of IT BudgetSpent on Security 2004: 481 Respondents/97%

  16. Technologies 2004: 483 Respondents/98% 2003: 525 Respondents/99% 2002: 500 Respondents/99% 2001: 530 Respondents/99% 2000: 629 Respondents/97% 1999: 501 Respondents/96% 1998: 512 Respondents/98%

  17. Unauthorized Use 1998: 515 Respondents/99% 1997: 391 Respondents/69% 1996: 410 Respondents/96% 2004: 481 Respondents/97% 2003: 524 Respondents/99% 2002: 481 Respondents/96% 2001: 532 Respondents/99.6% 2000: 585 Respondents/91% 1999: 512 Respondents/98%

  18. Breach Frequency 2002: 321 Respondents/64% 2001: 348 Respondents/65% 2000: 392 Respondents/61% 1999: 327 Respondents/63% 2004: 280 Respondents/57% 2003: 356 Respondents/67%

  19. Website Incidents 2004: 132 Respondents/27% 2003: 135 Respondents/25% 2002: 244 Respondents/49% 2001: 211 Respondents/40% 2000: 120 Respondents/18% 1999: 92 Respondents/18%

  20. Types of Losses 2004: 269 Respondents/54%

  21. Computer IntrusionsActions Taken 2004: 320 Respondents/65% 2003: 376 Respondents/71% 2002: 389 Respondents/77% 2001: 345 Respondents/64% 2000: 407 Respondents/63% 1999: 295 Respondents/57% 1998: 321 Respondents/72% 1997: 317 Respondents/56% 1996: 325 Respondents/76%

  22. Computer IntrusionsNot Reported 2004: 267 Respondents/54% 2003: 376 Respondents/71% 2002: 389 Respondents/77% 2001: 345 Respondents/64% 2000: 407 Respondents/63% 1999: 295 Respondents/57% 1998: 321 Respondents/72% 1997: 317 Respondents/56% 1996: 325 Respondents/76%

  23. Risk Assessment Risk Assessment Modeling

  24. e-Commerce Risks • Risk that are generally associated with e-Commerce and IT include: • Compliance • Transaction • Strategic • Reputation

  25. e-Commerce Risks • Potential impact of risks facing a credit unions engaging in e-commerce activities may include: • Lack of member trust due to poor public image • Potential legal or regulatory sanctions • Fraudulent loans, disbursements and withdrawal of member funds

  26. e-Commerce Risks • Potential impact of risks facing a credit unions engaging in e-commerce activities may include: • Misappropriation of funds • Extended disruption of member services • Unauthorized access to member data • Theft of confidential member data

  27. Risk Management

  28. Risk Management Process

  29. Risk Management ProcessIdentify Risks • Risk identification involves the evaluation of: • What risk categories impact the credit union as it relates to IT (e.g., operational, financial, informational, transactional)? • Which assets should be reviewed?

  30. Risk Management ProcessAssess Impact • Impact Assessment includes: • Threat Analysis • Asset Valuation • Vulnerability Analysis

  31. Risk Management ProcessPrioritization (Rank)

  32. Risk Management ProcessAction Plans (Mitigation) • Mitigation recommendations should, at a minimum, address: • The medium to high risk exposures • Those exposures that exceed management’s expectations and allowances (i.e., unacceptable risks)

  33. Risk Management ProcessAction Plans (Mitigation) • Recommendations can fall into one of four categories: • Preventative Safeguards • Mitigating Safeguards • Detective Safeguards • Recovery Safeguards

  34. Risk Management ProcessImplement, Monitor, Report • Implement revised strategies in a timely manner • Monitor the risks • Report results

  35. Outsourcing Vendor Management

  36. Outsourcing • Risk Management • Vendor Selection • Contracts • Oversight • Service Level Agreements

  37. OutsourcingRisk Management • Board of directors and senior management responsible for: • Understanding risks associated with outsourcing arrangements for technology services. • Ensuring effective risk management practices are in place.

  38. OutsourcingRisk Management • Board of directors and senior management responsible for: • Assessing how outsourcing arrangements will support the credit union’s objectives and strategic plans. • Assessing how relationships will be managed.

  39. OutsourcingVendor Selection • Selection criteria: • Ensure potential vendors have relevant expertise and references • Evaluate vendor’s capabilities, references, and personnel involved • Ensure stable financial position • Evaluate consequences of selecting inappropriate vendor

  40. OutsourcingContracts • As a minimum, contracts should address: • Scope of services • Cost and duration of services • Security and confidentiality • Audit and controls • Performance standards

  41. OutsourcingContracts • As a minimum, contracts should address: • Indemnification • Limitation of liability • Dispute resolution • Termination and assignment • Reporting

  42. OutsourcingOversight • Implement an on-going oversight program to monitor each service provider’s controls, conditions and performance • Monitor key indicators: • Financial condition and operations • Quality of service and support

  43. OutsourcingOversight • Monitor key indicators: • Contract compliance and required revisions • Access to credit union’s systems • Business contingency plans

  44. OutsourcingService Level Agreements • Clearly outline any service level agreements (SLAs) based on defined standards • Formal SLAs help to ensure outsourced vendor provides an appropriate level of service to credit union • SLAs should be confirmed by all parties involved and kept current

  45. Other Issues • Security • Privacy • Business Continuity • Regulation (Federal & State) • etc...

  46. e-Commerce: Do You Dare? ?

More Related